API Reference
How to automate obfuscation using the REST API.
The REST API allows external systems to submit scripts to the obfuscation engine.
Authentication
The API requires an API key. Create and manage keys in the Account tab of the dashboard.
Include the API key in the Authorization header using the Bearer schema.
Authorization: Bearer YOUR_API_KEY
API Versioning
The current active version of the Obscurau API is v2. All endpoints should be prefixed with /v2/ (e.g., https://api.obscurau.net/v2/obfuscate).
Older endpoints (such as v1) are considered deprecated and may no longer receive updates or support the latest engine options.
Obfuscate
POST https://api.obscurau.net/v2/obfuscate
This endpoint accepts a Lua/Luau script and engine configuration parameters. On success, it returns the obfuscated script as a downloadable file.
There are three ways to submit your script:
Method 1: File Upload (multipart/form-data)
Upload your .lua or .luau file directly. This is the simplest method for scripts of any size.
| Field | Type | Description |
|---|---|---|
script | file | Required. The .lua or .luau file to obfuscate. |
data | string | A JSON string containing targetVersion, optimizationLevel, and options. |
Example (curl):
curl -X POST https://api.obscurau.net/v2/obfuscate \
-H "Authorization: Bearer YOUR_API_KEY" \
-F "script=@./my-script.lua" \
-F 'data={"options":{"targetVersion":"Roblox","optimizationLevel":"Level 2","intenseVmStructure":true,"disableLineInformation":true}}' \
-o output.lua
The filename is read from the uploaded file. You can override it by adding a filename key inside the data JSON.
Method 2: Base64-encoded JSON
Encode your script to base64 before sending. This prevents JSON escaping issues for scripts with special characters.
| Field | Type | Description |
|---|---|---|
scriptBase64 | string | Required. Base64-encoded source code. |
filename | string | The original filename (e.g., script.lua). Auto-generated if omitted. |
options | object | Required. Engine options (including target and optimization level). |
curl -X POST https://api.obscurau.net/v2/obfuscate \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"scriptBase64": "'$(base64 -i ./my-script.lua)'",
"filename": "my-script.lua",
"options": {
"targetVersion": "Roblox",
"optimizationLevel": "Level 2",
"intenseVmStructure": true,
"disableLineInformation": true
}
}' \
-o output.lua
Options Schema
The options object configures how the engine obfuscates your script. Some options require specific plans.
| Option | Type | Description | Required Plan |
|---|---|---|---|
targetVersion | string | Required. The target runtime (Roblox, FiveM, Luau, LuaJIT, Lua 5.1 - Lua 5.5, World of Warcraft, Garry's Mod, Warcraft 3). | All |
optimizationLevel | string | Required. The optimization strength (Level 1, Level 2, Level 3). | All |
disableLineInformation | boolean | Removes debug line mapping for smaller output size. | All |
prettyPrint | boolean | Formats output with indentation instead of minification. | All |
enableFfiLibrary | boolean | Preserves FFI specific logic for LuaJIT targets. | All |
intenseVmStructure | boolean | Enhances VM instruction complexity to combat static analysis. | Starter+ |
useDebugLibrary | boolean | Adds anti-tamper checks utilizing the debug library. | Starter+ |
staticEnvironment | boolean | Inlines environmental globals for speed and security. | Starter+ |
enforcePlaceIdLock | boolean | (Roblox only) Prevents script from running outside authorized Place IDs. | Professional+ |
enableGcFixes | boolean | Hardens garbage collection loops for complex states. | Business+ |
vmCompression | boolean | Compresses the bytecode payload aggressively. | Business+ |
enableCompatibilityMode | boolean | Ensures maximum compatibility across custom executor environments. | Business+ |
hardcodeGlobals | boolean | Directly hardcodes environment calls instead of fetching them. | Business+ |
licenseKey | string | Binds the output to a specific license key validation system. | PAYG+ |
Response
Success (200 OK)
The response body contains the obfuscated script as a binary file download (Content-Type: application/octet-stream). The Content-Disposition header provides a suggested filename.
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="main.obfuscated.lua"
Save the response body directly to a file (use -o output.lua with curl).
Error (4xx / 5xx)
On failure, the response is a JSON object with an error field.
{
"error": "targetVersion is invalid"
}
Common error codes:
| Status | Meaning |
|---|---|
| 400 | Invalid request body, missing fields, or invalid option values. |
| 401 | Missing or invalid API key. |
| 403 | Plan restriction (e.g., option requires a higher plan) or not enough tokens. |
| 405 | Wrong HTTP method (use POST). |
| 408 | Request timeout. Job is queued but took >55s to complete and continues running in background. You can poll the job status using the jobId returned in the response. |
| 429 | Too many requests. Concurrent obfuscation limit reached for your plan. |
| 500 | Engine execution failed. Tokens are automatically refunded on engine errors. |
Check Job Status
GET https://api.obscurau.net/v2/obfuscate/:jobId
If your initial POST request times out with a 408 status code, the background obfuscation engine will continue processing your script. You can poll this endpoint using the jobId returned in the 408 response to retrieve the status or download the completed file.
Path Parameters
| Parameter | Type | Description |
|---|---|---|
jobId | string | Required. The UUID of the job returned from a 408 Request Timeout response. |
Example (curl):
curl -X GET https://api.obscurau.net/v2/obfuscate/fc230067-dce9-4748-884c-1ab131a2f0e7 \
-H "Authorization: Bearer YOUR_API_KEY" \
-o output.lua
Responses
202 Accepted (Still Processing)
The job is still in the queue or running. Wait a few seconds and try again.
{
"status": "running",
"jobId": "fc230067-dce9-4748-884c-1ab131a2f0e7"
}
200 OK (Success)
Returns the obfuscated script as a binary file download (Content-Type: application/octet-stream).
404 Not Found
The jobId is invalid, expired (jobs are cleared after 7 days), or does not belong to your account.
4xx / 5xx (Failed)
The engine failed to obfuscate the script. Tokens are automatically refunded.
{
"error": "Engine execution failed",
"status": "failed"
}